[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2018-08-23 Thread JIRA


[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16590784#comment-16590784 ]

Jan Høydahl commented on SOLR-11495:


I think we should keep them enabled as is, including xmlparser, and instead 
focus on fixing security issues along the way as well as document how to 
disable qparsers in “taking Solr to production” chapter.

> Reduce the list of which query parsers are loaded by default
> 
>
> Key: SOLR-11495
> URL: https://issues.apache.org/jira/browse/SOLR-11495
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: query parsers
>Affects Versions: 7.0
>Reporter: Shawn Heisey
>Priority: Major
>
> Virtually all of the query parsers that Solr supports are enabled by default, 
> in a map created in QParserPlugin.java.
> To reduce the possible attack surface of a default Solr installation, I 
> believe that the list of default parsers should be limited to a small handful 
> of the full list that's available. I will discuss specific ideas for that 
> list in comments.
> I think the bar should be very high for admission to the default parser list. 
> That list should only include those that are most commonly used by the 
> community. Only the most common parsers will have had extensive review for 
> security issues.
> _Edit_: moved description from "Docs Text" field where it was initially added 
> mistakenly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-17 Thread David Smiley (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207916#comment-16207916 ]

David Smiley commented on SOLR-11495:

+1 to everything Yonik has said here.

I think instead of removing registered parsers, we should tackle SOLR-11501.

+0 to removing the pre-registered xmlparser (in particular) so that you have to 
explicitly register it.




[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-17 Thread Yonik Seeley (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207700#comment-16207700 ]

Yonik Seeley commented on SOLR-11495:

There are two types of QParsers: those that implement a full query language 
(like XML parser), and those that implement a little bit of necessary 
functionality and are meant to be composable and used within other qparsers.

For example, take the "field" qparser: it was done so clients could do a simple 
term filter (like when doing facet drilldowns) without having to know/care 
about any kind of escaping rules for the Lucene parser.

QParsers are the only implemented entry points into so much of Solr's query 
functionality (join, graph, block-join, frange, spatial, json-dsl, payload, etc). 
Aside from the back compat issues, and rendering the JSON Query DSL useless, 
removing certain parsers for "security" reasons means that people would be wary 
of enabling them (and we'll get tons of questions like "is it safe to enable 
XYZ?"). We should fix any security vulnerabilities we know about (and parsers 
are no more vulnerable than other parts of the system like faceting, 
highlighting, etc).

Aside from that, we should take things on a case-by-case basis. For example, a 
query parser that invoked Tika is one that, IMO, we probably would not want 
to enable by default and would put in contrib instead.





[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-17 Thread Shawn Heisey (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207667#comment-16207667 ]

Shawn Heisey commented on SOLR-11495:

[~cpoerschke], IMHO: I don't know that exotic parsers really need to be 
contrib.   We just need to ensure that they're not loaded by default.  They can 
always be enabled in solrconfig.xml if somebody really needs the functionality 
and understands the risks.  I'm not opposed to the idea of a contrib module, I 
just don't think it's really necessary.  Let's see what Yonik has to say on the 
subject.

[~arafalov], if we remove the automatic load of xmlparser, I think this is the 
proper syntax in solrconfig.xml (top level, right under ) to re-enable 
it:

{code}

{code}





[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-17 Thread Christine Poerschke (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207184#comment-16207184 ]

Christine Poerschke commented on SOLR-11495:


Irrespective of parsers being loaded by default or not, I've started SOLR-11496 
umbrella ticket to add javadocs with examples for any QParserPlugin classes 
that currently do not have them.

Might there also be an opportunity here to consider moving some of the more 
exotic parsers (I would count {{defType=xmlparser}} into that category and I'm 
sure there are others) out of {{solr/core}} and into a new contrib? Say with 
8.0 these parsers would be a contrib only?




[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-16 Thread Alexandre Rafalovitch (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206889#comment-16206889 ]

Alexandre Rafalovitch commented on SOLR-11495:

What would enabling a disabled parser look like? Would that mean a flag passed 
in at startup?

P.S. Is there a reason the case description is instead in the "Docs Text" 
field? That feels new, if not strange.




[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-16 Thread Shawn Heisey (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206765#comment-16206765 ]

Shawn Heisey commented on SOLR-11495:

If the outcome of this (after discussion and investigation) is just to remove 
the XML parser, I'm OK with that.

I do think it would be a good idea to take a close look at each parser enabled 
by default just to survey the functionality and make sure that nothing can get 
out.





[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-16 Thread Yonik Seeley (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206526#comment-16206526 ]

Yonik Seeley commented on SOLR-11495:

XML is the special case here... it's introduced security exploit after security 
exploit because of its ability to make HTTP calls itself.
I think disabling other parsers is the wrong approach and will frustrate users 
while not really increasing security (they are not inherently less secure if 
you exclude XML).
In addition, the JSON query DSL depends on these qparsers (that's how its 
boolean was implemented).
Many of these are "plugins" instead of "builtins" just out of a matter of 
convenience, and I'd argue they are inherently an integral part of the query 
language.




[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-16 Thread Gus Heck (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206486#comment-16206486 ]

Gus Heck commented on SOLR-11495:

It would be nice if this were paired with a convenient but reasonably secure 
way to enable anything no longer included by default. By convenient, I mean 
centralized... i.e. not editing a file on every deployed node.




[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

2017-10-16 Thread Shawn Heisey (JIRA)

[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206467#comment-16206467 ]

Shawn Heisey commented on SOLR-11495:

This is how I think we should initially define the default list:

{code}
map.put(LuceneQParserPlugin.NAME, LuceneQParserPlugin.class);
map.put(FunctionQParserPlugin.NAME, FunctionQParserPlugin.class);
map.put(DisMaxQParserPlugin.NAME, DisMaxQParserPlugin.class);
map.put(ExtendedDismaxQParserPlugin.NAME, 
ExtendedDismaxQParserPlugin.class);
{code}

This list corresponds to these parser names:  lucene, func, dismax, edismax

I almost didn't include the function query parser in that list.  It is one of 
the more complex parsers we have, and therefore might be potentially vulnerable 
to exploit ... but I think it's probably so commonly used that it would break a 
lot of installs to remove it.

For a lot of the remaining parsers, there are strong arguments for inclusion in 
the default list, but anytime a parser is considered for inclusion, we need to 
weigh how widely used that parser is against the possible risks of increasing 
the attack surface.  Is the terms query parser likely to be exploitable?  That 
would take a code review to determine.




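Shawn's proposed allowlist (lucene, func, dismax, edismax), the solrconfig.xml registration he refers to earlier in the thread, and Yonik's point about xmlparser suggest a check an operator can run today. The following is an added example, not code from the Solr project or from anyone in this thread: it reads a constructed solrconfig.xml fragment for explicitly registered <queryParser> elements and scans constructed request-log lines for defType= and {!name} local-param use of parsers outside the allowlist. The log-line shape and the sample class names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Parser names from Shawn's proposed default list.
DEFAULT_PARSERS = {"lucene", "func", "dismax", "edismax"}

# Constructed solrconfig.xml fragment (not from any Solr release) using Solr's
# <queryParser name="..." class="..."/> registration element.
SAMPLE_SOLRCONFIG = """<config>
  <queryParser name="xmlparser" class="solr.XmlQParserPlugin"/>
  <queryParser name="terms" class="solr.TermsQParserPlugin"/>
</config>"""

# Constructed lines in the shape of Solr's per-request log entry (assumed format).
SAMPLE_LOG = """\
[core1] webapp=/solr path=/select params={q=*:*&defType=edismax&qf=title} hits=10 status=0 QTime=3
[core1] webapp=/solr path=/select params={q={!xmlparser v=$xq}&xq=[xml omitted]} hits=0 status=0 QTime=5
[core1] webapp=/solr path=/select params={fq={!terms f=id}1,2,3&q=*:*} hits=3 status=0 QTime=2
"""

PARAMS = re.compile(r"params=\{(.*)\} hits=")
# {!name ...}, {!name} or {!type=name ...}; ignores bare local params like {!v=$x}
LOCAL_PARSER = re.compile(r"\{!(?:type=)?(\w+)(?=[\s}])")

def registered_parsers(solrconfig_xml: str) -> dict:
    """{name: class} for every <queryParser> explicitly registered in solrconfig.xml."""
    root = ET.fromstring(solrconfig_xml)
    return {qp.get("name"): qp.get("class") for qp in root.iter("queryParser")}

def parsers_in_request(log_line: str) -> set:
    """Parser names a logged request selects via defType= or {!name} local params."""
    m = PARAMS.search(log_line)
    if not m:
        return set()
    params = m.group(1)
    found = set(LOCAL_PARSER.findall(params))
    for chunk in params.split("&"):
        key, _, value = chunk.partition("=")
        if key == "defType" and value:
            found.add(value)
    return found

def audit(solrconfig_xml: str, log_text: str, allowed=DEFAULT_PARSERS) -> dict:
    """Non-default parsers that are registered, and those actually used (log line numbers)."""
    used = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name in parsers_in_request(line) - allowed:
            used.setdefault(name, []).append(lineno)
    return {"registered_non_default": sorted(set(registered_parsers(solrconfig_xml)) - allowed),
            "used_non_default": used}
```

Running audit on the samples reports xmlparser and terms as both registered and used, which is the evidence an operator needs before deciding whether a parser can be left out of the default list.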

